Hello,
I'm getting a lot of this exploit prevention event: an invalid call which was detected as an attempt to exploit C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE or C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE
I want to know if it's a false alarm or if you are aware of this problem.
Any help would be really appreciated!
thanks
Hello,
Both IEXPLORE and CHROME fall under the list of possible Buffer Overflow affected applications, but bear in mind that such vulnerabilities are fixed in the background by their vendors.
I do not see the full details of the event you get, but at first sight it seems that an external process tried to reach memory used by these processes. Since they both interact with OS components, it is possible that it is a legitimate event, but in case you suspect malicious activity you can run GetSusp on that machine, clean the browsers' cache and run a full scan.
Hello,
thanks for your response
You can see the complete event below:
2019-02-27 12:07:02
timestamp="2019-02-27 12:07:02.607"
AutoID="399916666"
signature="ExP:Invalid Call"
threat_type="IDS_THREAT_TYPE_VALUE_BOP"
signature_id="18055"
category="hip.bo"
severity_id="2"
event_description="A suspicious call was detected and blocked"
detected_timestamp="2019-02-27 12:05:22.0"
file_name="C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE"
target_hash="a839ebb5d127a9872a897fe81c2a861b"
detection_method="Exploit Prevention"
vendor_action="blocked"
AnalyzerContentCreationDate="2019-01-31 22:45:48.0"
AnalyzerContentVersion="10.6.0.8966"
AnalyzerRuleID="6013"
AnalyzerRuleName="Suspicious Function Invocation - CALL Not Found"
SourceDescription="C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE --CHANNEL=205868.119.1156748700\1582519969 C:\USERS\DIETZTR\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\F608DHH5.DEFAULT\GMP-WIDEVINECDM\4.10.1196.0 -GREOMNI C:\PROGRAM FILES (X86)\MOZILLA FI"
TargetSigned="1"
TargetSigner="C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=MOZILLA CORPORATION, CN=MOZILLA CORPORATION"
TargetParentProcessSigned="1"
TargetParentProcessSigner="C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=MOZILLA CORPORATION, CN=MOZILLA CORPORATION"
TargetParentProcessName="FIREFOX.EXE"
TargetParentProcessHash="79b2c84686d2aa43ad202d3bfd2013b0"
TargetName="PLUGIN-CONTAINER.EXE"
TargetPath="C:\PROGRAM FILES (X86)\MOZILLA FIREFOX"
TargetFileSize="103376"
TargetModifyTime="2018-12-07 0
I don't understand the reason for this invalid call.
Would you have an explanation for this?
thanks,
regards,
Hello,
To me it looks like a false positive, because both source and target are clearly Mozilla processes.
You can find additional information here:
https://support.mozilla.org/bg/kb/what-is-plugin-container
Also, it seems there is a known behavior with rule 6015 and event ID 18055:
https://kc.mcafee.com/corporate/index?page=content&id=KB90074
For additional information this is the rule description:
Signature 6015
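The triage the reply above describes (both the target and its parent are signed by the same vendor, the call was blocked, the rule is one with documented benign behavior) can be turned into a repeatable check over the ENS Exploit Prevention event format. The following is an added example, not code from the thread or from the product vendor. It assumes the `key="value"` field layout shown in the posted event; the sample records are constructed (abbreviated, with a second hypothetical record for contrast), and the "known-behaviour rule" list and trusted-signer list are analyst-maintained assumptions that should be validated against the vendor's KB articles rather than taken from this code.

```python
import re
from dataclasses import dataclass

# Constructed sample records modelled on the event posted above (abbreviated; not real
# telemetry). The first is deliberately cut off mid-field, as the pasted event was.
# The second is a hypothetical contrasting record: an unsigned target launched from a
# temp directory by an Office process.
SAMPLE_EVENTS = [
    r'signature="ExP:Invalid Call" signature_id="18055" detection_method="Exploit Prevention" '
    r'vendor_action="blocked" AnalyzerRuleID="6013" '
    r'AnalyzerRuleName="Suspicious Function Invocation - CALL Not Found" '
    r'TargetName="PLUGIN-CONTAINER.EXE" TargetPath="C:\PROGRAM FILES (X86)\MOZILLA FIREFOX" '
    r'TargetSigned="1" '
    r'TargetSigner="C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=MOZILLA CORPORATION, CN=MOZILLA CORPORATION" '
    r'TargetParentProcessName="FIREFOX.EXE" TargetParentProcessSigned="1" '
    r'TargetParentProcessSigner="C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=MOZILLA CORPORATION, CN=MOZILLA CORPORATION" '
    r'TargetModifyTime="2018-12-07 0',
    r'signature="ExP:Invalid Call" signature_id="18055" detection_method="Exploit Prevention" '
    r'vendor_action="blocked" AnalyzerRuleID="6013" '
    r'TargetName="UPDATE.EXE" TargetPath="C:\USERS\USER\APPDATA\LOCAL\TEMP" '
    r'TargetSigned="0" TargetSigner="" '
    r'TargetParentProcessName="WINWORD.EXE" TargetParentProcessSigned="1" '
    r'TargetParentProcessSigner="CN=MICROSOFT CORPORATION"',
]

# Assumption: rule IDs an analyst has confirmed as documented benign behaviour for
# signature 18055. 6015 is the rule named in the reply above; 6013 is the rule in the
# posted event. Verify against the vendor KB before relying on this list.
KNOWN_BEHAVIOUR_RULES = {"6013", "6015"}
# Assumption: signer common names the organisation treats as trusted browser vendors.
TRUSTED_CNS = {"MOZILLA CORPORATION", "GOOGLE LLC", "MICROSOFT CORPORATION"}

# Values in this format contain backslashes, commas and '=' but no embedded quotes.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse one ENS event line into a dict. A trailing field whose closing quote was
    truncated (as in the pasted event) is simply dropped rather than mis-parsed."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def signer_cn(signer):
    """Extract the CN from an X.500-style signer string such as 'C=US, ..., CN=FOO'."""
    m = re.search(r"CN=([^,]+)", signer or "")
    return m.group(1).strip() if m else ""


@dataclass
class Verdict:
    label: str
    reasons: list


def triage(ev, known_rules=KNOWN_BEHAVIOUR_RULES, trusted_cns=TRUSTED_CNS):
    """Apply the reply's reasoning: same-vendor signatures on target and parent, a
    blocked action and a documented rule together point to a false positive."""
    if ev.get("signature_id") != "18055":
        return Verdict("out_of_scope", ["not an ExP:Invalid Call (signature 18055) event"])
    reasons = []
    target_signed = ev.get("TargetSigned") == "1"
    parent_signed = ev.get("TargetParentProcessSigned") == "1"
    t_cn = signer_cn(ev.get("TargetSigner"))
    p_cn = signer_cn(ev.get("TargetParentProcessSigner"))
    if not target_signed:
        reasons.append(f"target {ev.get('TargetName')} is unsigned")
    if not parent_signed:
        reasons.append(f"parent {ev.get('TargetParentProcessName')} is unsigned")
    if target_signed and parent_signed and t_cn and t_cn == p_cn:
        reasons.append(f"target and parent both signed by {t_cn}")
    elif target_signed and parent_signed:
        reasons.append(f"target signed by {t_cn!r} but parent by {p_cn!r}")
    rule = ev.get("AnalyzerRuleID", "")
    if rule in known_rules:
        reasons.append(f"rule {rule} is on the known-behaviour list")
    if ev.get("vendor_action") == "blocked":
        reasons.append("call was blocked, so nothing executed")

    if (target_signed and parent_signed and t_cn == p_cn
            and t_cn in trusted_cns and rule in known_rules):
        label = "likely_false_positive"
    elif not target_signed or not parent_signed:
        label = "investigate"
    else:
        label = "review"
    return Verdict(label, reasons)


def triage_lines(lines):
    """Convenience wrapper: parse and triage a batch of raw event lines."""
    return [triage(parse_event(line)) for line in lines]


if __name__ == "__main__":
    for line, v in zip(SAMPLE_EVENTS, triage_lines(SAMPLE_EVENTS)):
        print(parse_event(line).get("TargetName"), "->", v.label, "|", "; ".join(v.reasons))
```

The verdict is only a first pass: a signed-by-Mozilla parent does not rule out injected code running inside it, so an "investigate" or "review" result (or a burst of "likely_false_positive" events on one host) should still be followed by the GetSusp run and full scan the first reply recommends, and any exclusion should be scoped to the exact rule ID and signed binary rather than to the whole signature.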